Model answer: Internal audit is a continuous, management-facing function that evaluates the effectiveness of risk management, internal controls, and governance processes, reporting to the Audit Committee or Board. External audit is a periodic, statutory function focused on expressing an opinion on the truth and fairness of financial statements, reporting to shareholders.

Key distinction to mention: internal audit looks at the design and operating effectiveness of processes year-round and can audit operational, compliance, and IT areas — not just financial reporting — while external audit's scope is largely fixed by statute and financial statement assertions.

Model answer: Risk-based annual planning → engagement-level planning (scope, objectives, resourcing) → fieldwork (walkthroughs, testing, evidence gathering) → findings and draft observations → management response and root cause discussion → draft report → final report to Audit Committee → tracking remediation to closure.

See the full audit cycle diagram in Section 3 for a visual walkthrough panels often ask you to sketch on a whiteboard.

Model answer: Inherent risk is the susceptibility of an account or process to error or fraud before considering controls (e.g., cash is inherently riskier than fixed assets). Control risk is the risk that existing controls fail to prevent or detect that error. Detection risk is the risk that the auditor's own procedures fail to catch a material misstatement that controls missed.

Tip: Mention the relationship — Audit Risk = Inherent Risk × Control Risk × Detection Risk — to show you understand how these combine.

Model answer: Start with a walkthrough to confirm the control is designed appropriately. Then test operating effectiveness using inquiry, observation, re-performance, or inspection of documentary evidence, choosing sample sizes based on control frequency (daily controls need larger samples than annual ones).

Example: To test a "three-way match" control in procure-to-pay, select a sample of payments and inspect whether the purchase order, goods receipt note, and invoice were matched and approved before payment release.

Model answer: COSO is the Committee of Sponsoring Organizations' Internal Control–Integrated Framework, built on five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. Internal auditors use it as the benchmark to assess whether an organisation's control system is well-designed and operating.

A full diagram of the five COSO components is in Section 3.

Model answer approach: Use the STAR method (Situation, Task, Action, Result). Be specific about the control gap, how you identified it, how you escalated it professionally, and the measurable outcome — a process fix, a policy update, or quantified risk avoided.

See "The Duplicate Vendor" story in Section 3 for a fully worked example you can adapt.

Model answer: A finding/observation is the factual gap identified between what should happen (criteria) and what actually happens (condition), along with cause and effect. A recommendation is the auditor's proposed corrective action. Strong reports separate "what we found" from "what we suggest" so management can respond to each distinctly.

Model answer: Use a risk-based audit universe: score each auditable entity on impact (financial, regulatory, reputational) and likelihood, then plot on a risk heat map. High-impact, high-likelihood areas get priority; low-risk areas may be audited on a rotational, multi-year cycle instead.

Model answer: A compliance audit checks adherence to laws, regulations, policies, or contractual terms — pass/fail against a fixed standard. An operational audit evaluates efficiency and effectiveness of a process against best practice, even where no rule is technically broken — it's about value, not just rule-following.

Model answer: Organisationally, by reporting functionally to the Audit Committee rather than operational management. Individually, by not auditing areas you've worked in within the past 12 months, disclosing conflicts of interest, and basing conclusions strictly on evidence rather than relationships with the auditee.

Model answer: Statistical methods like random and stratified sampling for objective coverage, and judgmental/risk-based sampling to target high-risk or unusual transactions (round-sum amounts, weekend postings, transactions just under approval thresholds).

Model answer: Revisit the evidence calmly and ask what specifically they disagree with — facts, root cause, or rating. If the evidence is sound, hold the finding but document their formal response in the report rather than softening the conclusion. If they raise a valid point you missed, be willing to revise.

Model answer: Mention specific tools relevant to you — ACL/Galvanize, IDEA, Excel with Power Query/pivots, SQL for transaction queries, or audit management systems like TeamMate. Tie each to a concrete use: "I used IDEA to run duplicate-payment tests across two years of vendor data."

Model answer: First line: operational management who own and manage risk day-to-day. Second line: risk management and compliance functions that set policy and monitor risk. Third line: internal audit, which independently assures the Board that the first two lines are working effectively.

Diagram available in Section 3.

Model answer: Lead with an executive summary rating overall control health. Structure each finding with criteria, condition, cause, consequence, and recommendation. Use a clear risk rating for each issue, keep language factual and free of blame, and always include management's action plan and target date.

Model answer: Error is unintentional — a mistake in recording, calculation, or application of policy. Fraud is an intentional act involving deception for gain, typically requiring three conditions: pressure/incentive, opportunity, and rationalisation — the fraud triangle.

Model answer: Name real sources: IIA's International Professional Practices Framework (IPPF) updates, ICAI guidance notes, regulator circulars (RBI/SEBI depending on sector), and internal technical updates. Mention any certifications in progress (CIA, CISA, DISA).

Model answer: Stop normal testing in that area, preserve evidence without alerting the suspected party, and escalate immediately through your reporting line (Chief Audit Executive or fraud protocol) rather than confronting the individual yourself.

Model answer: Personalise this — common genuine angles include broader exposure across operations, IT, and strategy rather than financial statements alone; closer, advisory-style relationships with management; and a faster feedback loop between finding an issue and seeing the business fix it.

Model answer: Tie ambition to a realistic ladder — Internal Auditor → Senior Auditor → Audit Manager → Head of Internal Audit/CAE — and mention a specific specialisation (IT audit, forensic audit, treasury) backed by a certification plan.